mirror of
https://github.com/pocoproject/poco.git
synced 2025-04-01 17:25:03 +02:00
fix style
This commit is contained in:
parent
a2322be390
commit
38c9328db6
@ -44,7 +44,7 @@ class NetSSL_API Context: public Poco::RefCountedObject
|
||||
{
|
||||
public:
|
||||
typedef Poco::AutoPtr<Context> Ptr;
|
||||
|
||||
|
||||
enum Usage
|
||||
{
|
||||
CLIENT_USE, /// Context is used by a client.
|
||||
@ -56,44 +56,44 @@ public:
|
||||
TLSV1_2_CLIENT_USE, /// Context is used by a client requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
|
||||
TLSV1_2_SERVER_USE /// Context is used by a server requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
|
||||
};
|
||||
|
||||
enum VerificationMode
|
||||
|
||||
enum VerificationMode
|
||||
{
|
||||
VERIFY_NONE = SSL_VERIFY_NONE,
|
||||
/// Server: The server will not send a client certificate
|
||||
/// request to the client, so the client will not send a certificate.
|
||||
VERIFY_NONE = SSL_VERIFY_NONE,
|
||||
/// Server: The server will not send a client certificate
|
||||
/// request to the client, so the client will not send a certificate.
|
||||
///
|
||||
/// Client: If not using an anonymous cipher (by default disabled),
|
||||
/// Client: If not using an anonymous cipher (by default disabled),
|
||||
/// the server will send a certificate which will be checked, but
|
||||
/// the result of the check will be ignored.
|
||||
|
||||
VERIFY_RELAXED = SSL_VERIFY_PEER,
|
||||
/// Server: The server sends a client certificate request to the
|
||||
/// client. The certificate returned (if any) is checked.
|
||||
/// If the verification process fails, the TLS/SSL handshake is
|
||||
/// immediately terminated with an alert message containing the
|
||||
/// reason for the verification failure.
|
||||
///
|
||||
/// Client: The server certificate is verified, if one is provided.
|
||||
|
||||
VERIFY_RELAXED = SSL_VERIFY_PEER,
|
||||
/// Server: The server sends a client certificate request to the
|
||||
/// client. The certificate returned (if any) is checked.
|
||||
/// If the verification process fails, the TLS/SSL handshake is
|
||||
/// immediately terminated with an alert message containing the
|
||||
/// reason for the verification failure.
|
||||
|
||||
VERIFY_STRICT = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
|
||||
/// Server: If the client did not return a certificate, the TLS/SSL
|
||||
/// handshake is immediately terminated with a handshake failure
|
||||
/// alert.
|
||||
/// immediately terminated with an alert message containing the
|
||||
/// reason for the verification failure.
|
||||
///
|
||||
/// Client: Same as VERIFY_RELAXED.
|
||||
|
||||
/// Client: The server certificate is verified, if one is provided.
|
||||
/// If the verification process fails, the TLS/SSL handshake is
|
||||
/// immediately terminated with an alert message containing the
|
||||
/// reason for the verification failure.
|
||||
|
||||
VERIFY_STRICT = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
|
||||
/// Server: If the client did not return a certificate, the TLS/SSL
|
||||
/// handshake is immediately terminated with a handshake failure
|
||||
/// alert.
|
||||
///
|
||||
/// Client: Same as VERIFY_RELAXED.
|
||||
|
||||
VERIFY_ONCE = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE
|
||||
/// Server: Only request a client certificate on the initial
|
||||
/// TLS/SSL handshake. Do not ask for a client certificate
|
||||
/// Server: Only request a client certificate on the initial
|
||||
/// TLS/SSL handshake. Do not ask for a client certificate
|
||||
/// again in case of a renegotiation.
|
||||
///
|
||||
/// Client: Same as VERIFY_RELAXED.
|
||||
/// Client: Same as VERIFY_RELAXED.
|
||||
};
|
||||
|
||||
|
||||
enum Protocols
|
||||
{
|
||||
PROTO_SSLV2 = 0x01,
|
||||
@ -102,7 +102,7 @@ public:
|
||||
PROTO_TLSV1_1 = 0x08,
|
||||
PROTO_TLSV1_2 = 0x10
|
||||
};
|
||||
|
||||
|
||||
struct Params
|
||||
{
|
||||
Params();
|
||||
@ -116,16 +116,16 @@ public:
|
||||
/// Path to the certificate file (in PEM format).
|
||||
/// If the private key and the certificate are stored in the same file, this
|
||||
/// can be empty if privateKeyFile is given.
|
||||
|
||||
|
||||
std::string caLocation;
|
||||
/// Path to the file or directory containing the CA/root certificates.
|
||||
/// Path to the file or directory containing the CA/root certificates.
|
||||
/// Can be empty if the OpenSSL builtin CA certificates
|
||||
/// are used (see loadDefaultCAs).
|
||||
|
||||
VerificationMode verificationMode;
|
||||
/// Specifies whether and how peer certificates are validated.
|
||||
/// Defaults to VERIFY_RELAXED.
|
||||
|
||||
|
||||
int verificationDepth;
|
||||
/// Sets the upper limit for verification chain sizes. Verification
|
||||
/// will fail if a certificate chain larger than this is encountered.
|
||||
@ -134,11 +134,11 @@ public:
|
||||
bool loadDefaultCAs;
|
||||
/// Specifies whether the builtin CA certificates from OpenSSL are used.
|
||||
/// Defaults to false.
|
||||
|
||||
|
||||
std::string cipherList;
|
||||
/// Specifies the supported ciphers in OpenSSL notation.
|
||||
/// Defaults to "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".
|
||||
|
||||
|
||||
std::string dhParamsFile;
|
||||
/// Specifies a file containing Diffie-Hellman parameters.
|
||||
/// If empty, the default parameters are used.
|
||||
@ -151,7 +151,7 @@ public:
|
||||
|
||||
Context(Usage usage, const Params& params);
|
||||
/// Creates a Context using the given parameters.
|
||||
///
|
||||
///
|
||||
/// * usage specifies whether the context is used by a client or server.
|
||||
/// * params specifies the context parameters.
|
||||
|
||||
@ -159,13 +159,13 @@ public:
|
||||
Usage usage,
|
||||
const std::string& privateKeyFile,
|
||||
const std::string& certificateFile,
|
||||
const std::string& caLocation,
|
||||
const std::string& caLocation,
|
||||
VerificationMode verificationMode = VERIFY_RELAXED,
|
||||
int verificationDepth = 9,
|
||||
bool loadDefaultCAs = false,
|
||||
const std::string& cipherList = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
|
||||
/// Creates a Context.
|
||||
///
|
||||
///
|
||||
/// * usage specifies whether the context is used by a client or server.
|
||||
/// * privateKeyFile contains the path to the private key file used for encryption.
|
||||
/// Can be empty if no private key file is used.
|
||||
@ -187,13 +187,13 @@ public:
|
||||
|
||||
Context(
|
||||
Usage usage,
|
||||
const std::string& caLocation,
|
||||
const std::string& caLocation,
|
||||
VerificationMode verificationMode = VERIFY_RELAXED,
|
||||
int verificationDepth = 9,
|
||||
bool loadDefaultCAs = false,
|
||||
const std::string& cipherList = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
|
||||
/// Creates a Context.
|
||||
///
|
||||
///
|
||||
/// * usage specifies whether the context is used by a client or server.
|
||||
/// * caLocation contains the path to the file or directory containing the
|
||||
/// CA/root certificates. Can be empty if the OpenSSL builtin CA certificates
|
||||
@ -210,9 +210,6 @@ public:
|
||||
~Context();
|
||||
/// Destroys the Context.
|
||||
|
||||
void addCertificateAuthority(const Poco::Crypto::X509Certificate& certificate);
|
||||
/// Add one trusted certification authority to be used by the Context.
|
||||
|
||||
void useCertificate(const Poco::Crypto::X509Certificate& certificate);
|
||||
/// Sets the certificate to be used by the Context.
|
||||
///
|
||||
@ -222,10 +219,13 @@ public:
|
||||
///
|
||||
/// Note that useCertificate() must always be called before
|
||||
/// usePrivateKey().
|
||||
|
||||
|
||||
void addChainCertificate(const Poco::Crypto::X509Certificate& certificate);
|
||||
/// Adds a certificate for certificate chain validation.
|
||||
|
||||
|
||||
void addCertificateAuthority(const Poco::Crypto::X509Certificate& certificate);
|
||||
/// Add one trusted certification authority to be used by the Context.
|
||||
|
||||
void usePrivateKey(const Poco::Crypto::RSAKey& key);
|
||||
/// Sets the private key to be used by the Context.
|
||||
///
|
||||
@ -242,13 +242,13 @@ public:
|
||||
Usage usage() const;
|
||||
/// Returns whether the context is for use by a client or by a server
|
||||
/// and whether TLSv1 is required.
|
||||
|
||||
|
||||
bool isForServerUse() const;
|
||||
/// Returns true iff the context is for use by a server.
|
||||
|
||||
Context::VerificationMode verificationMode() const;
|
||||
/// Returns the verification mode.
|
||||
|
||||
|
||||
void enableSessionCache(bool flag = true);
|
||||
/// Enable or disable SSL/TLS session caching.
|
||||
/// For session caching to work, it must be enabled
|
||||
@ -268,7 +268,7 @@ public:
|
||||
/// SessionIdContext contains the application's unique
|
||||
/// session ID context, which becomes part of each
|
||||
/// session identifier generated by the server within this
|
||||
/// context. SessionIdContext can be an arbitrary sequence
|
||||
/// context. SessionIdContext can be an arbitrary sequence
|
||||
/// of bytes with a maximum length of SSL_MAX_SSL_SESSION_ID_LENGTH.
|
||||
///
|
||||
/// A non-empty sessionIdContext should be specified even if
|
||||
@ -276,10 +276,10 @@ public:
|
||||
/// requesting to reuse a session (e.g. Firefox 3.6).
|
||||
///
|
||||
/// This method may only be called on SERVER_USE Context objects.
|
||||
|
||||
|
||||
bool sessionCacheEnabled() const;
|
||||
/// Returns true iff the session cache is enabled.
|
||||
|
||||
|
||||
void setSessionCacheSize(std::size_t size);
|
||||
/// Sets the maximum size of the server session cache, in number of
|
||||
/// sessions. The default size (according to OpenSSL documentation)
|
||||
@ -289,12 +289,12 @@ public:
|
||||
/// Specifying a size of 0 will set an unlimited cache size.
|
||||
///
|
||||
/// This method may only be called on SERVER_USE Context objects.
|
||||
|
||||
|
||||
std::size_t getSessionCacheSize() const;
|
||||
/// Returns the current maximum size of the server session cache.
|
||||
///
|
||||
/// This method may only be called on SERVER_USE Context objects.
|
||||
|
||||
|
||||
void setSessionTimeout(long seconds);
|
||||
/// Sets the timeout (in seconds) of cached sessions on the server.
|
||||
/// A cached session will be removed from the cache if it has
|
||||
@ -311,44 +311,44 @@ public:
|
||||
/// Flushes the SSL session cache on the server.
|
||||
///
|
||||
/// This method may only be called on SERVER_USE Context objects.
|
||||
|
||||
|
||||
void enableExtendedCertificateVerification(bool flag = true);
|
||||
/// Enable or disable the automatic post-connection
|
||||
/// extended certificate verification.
|
||||
///
|
||||
/// See X509Certificate::verify() for more information.
|
||||
|
||||
|
||||
bool extendedCertificateVerificationEnabled() const;
|
||||
/// Returns true iff automatic extended certificate
|
||||
/// Returns true iff automatic extended certificate
|
||||
/// verification is enabled.
|
||||
|
||||
|
||||
void disableStatelessSessionResumption();
|
||||
/// Newer versions of OpenSSL support RFC 4507 tickets for stateless
|
||||
/// session resumption.
|
||||
///
|
||||
/// The feature can be disabled by calling this method.
|
||||
|
||||
|
||||
void disableProtocols(int protocols);
|
||||
/// Disables the given protocols.
|
||||
///
|
||||
/// The protocols to be disabled are specified by OR-ing
|
||||
/// The protocols to be disabled are specified by OR-ing
|
||||
/// values from the Protocols enumeration, e.g.:
|
||||
///
|
||||
/// context.disableProtocols(PROTO_SSLV2 | PROTO_SSLV3);
|
||||
|
||||
|
||||
void preferServerCiphers();
|
||||
/// When choosing a cipher, use the server's preferences instead of the client
|
||||
/// preferences. When not called, the SSL server will always follow the clients
|
||||
/// preferences. When called, the SSL/TLS server will choose following its own
|
||||
/// When choosing a cipher, use the server's preferences instead of the client
|
||||
/// preferences. When not called, the SSL server will always follow the clients
|
||||
/// preferences. When called, the SSL/TLS server will choose following its own
|
||||
/// preferences.
|
||||
|
||||
private:
|
||||
void init(const Params& params);
|
||||
/// Initializes the Context with the given parameters.
|
||||
|
||||
|
||||
void initDH(const std::string& dhFile);
|
||||
/// Initializes the Context with Diffie-Hellman parameters.
|
||||
|
||||
|
||||
void initECDH(const std::string& curve);
|
||||
/// Initializes the Context with Elliptic-Curve Diffie-Hellman key
|
||||
/// exchange curve parameters.
|
||||
|
@ -51,9 +51,9 @@ Context::Context(Usage usage, const Params& params):
|
||||
|
||||
Context::Context(
|
||||
Usage usage,
|
||||
const std::string& privateKeyFile,
|
||||
const std::string& privateKeyFile,
|
||||
const std::string& certificateFile,
|
||||
const std::string& caLocation,
|
||||
const std::string& caLocation,
|
||||
VerificationMode verificationMode,
|
||||
int verificationDepth,
|
||||
bool loadDefaultCAs,
|
||||
@ -77,7 +77,7 @@ Context::Context(
|
||||
|
||||
Context::Context(
|
||||
Usage usage,
|
||||
const std::string& caLocation,
|
||||
const std::string& caLocation,
|
||||
VerificationMode verificationMode,
|
||||
int verificationDepth,
|
||||
bool loadDefaultCAs,
|
||||
@ -114,7 +114,7 @@ Context::~Context()
|
||||
void Context::init(const Params& params)
|
||||
{
|
||||
Poco::Crypto::OpenSSLInitializer::initialize();
|
||||
|
||||
|
||||
createSSLContext();
|
||||
|
||||
try
|
||||
@ -173,7 +173,7 @@ void Context::init(const Params& params)
|
||||
SSL_CTX_set_verify_depth(_pSSLContext, params.verificationDepth);
|
||||
SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY);
|
||||
SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF);
|
||||
|
||||
|
||||
initDH(params.dhParamsFile);
|
||||
initECDH(params.ecdhCurve);
|
||||
}
|
||||
@ -185,25 +185,6 @@ void Context::init(const Params& params)
|
||||
}
|
||||
|
||||
|
||||
void Context::addCertificateAuthority(const Crypto::X509Certificate &certificate)
|
||||
{
|
||||
if (X509_STORE* store = SSL_CTX_get_cert_store(_pSSLContext))
|
||||
{
|
||||
int errCode = X509_STORE_add_cert(store, const_cast<X509*>(certificate.certificate()));
|
||||
if (errCode != 1)
|
||||
{
|
||||
std::string msg = Utility::getLastError();
|
||||
throw SSLContextException("Cannot add certificate authority for Context", msg);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
std::string msg = Utility::getLastError();
|
||||
throw SSLContextException("Cannot add certificate authority for Context", msg);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void Context::useCertificate(const Poco::Crypto::X509Certificate& certificate)
|
||||
{
|
||||
int errCode = SSL_CTX_use_certificate(_pSSLContext, const_cast<X509*>(certificate.certificate()));
|
||||
@ -214,7 +195,7 @@ void Context::useCertificate(const Poco::Crypto::X509Certificate& certificate)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
void Context::addChainCertificate(const Poco::Crypto::X509Certificate& certificate)
|
||||
{
|
||||
int errCode = SSL_CTX_add_extra_chain_cert(_pSSLContext, certificate.certificate());
|
||||
@ -225,7 +206,26 @@ void Context::addChainCertificate(const Poco::Crypto::X509Certificate& certifica
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
void Context::addCertificateAuthority(const Crypto::X509Certificate &certificate)
|
||||
{
|
||||
if (X509_STORE* store = SSL_CTX_get_cert_store(_pSSLContext))
|
||||
{
|
||||
int errCode = X509_STORE_add_cert(store, const_cast<X509*>(certificate.certificate()));
|
||||
if (errCode != 1)
|
||||
{
|
||||
std::string msg = Utility::getLastError();
|
||||
throw SSLContextException("Cannot add certificate authority to Context", msg);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
std::string msg = Utility::getLastError();
|
||||
throw SSLContextException("Cannot add certificate authority to Context", msg);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void Context::usePrivateKey(const Poco::Crypto::RSAKey& key)
|
||||
{
|
||||
int errCode = SSL_CTX_use_RSAPrivateKey(_pSSLContext, key.impl()->getRSA());
|
||||
@ -262,7 +262,7 @@ void Context::enableSessionCache(bool flag, const std::string& sessionIdContext)
|
||||
{
|
||||
SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF);
|
||||
}
|
||||
|
||||
|
||||
unsigned length = static_cast<unsigned>(sessionIdContext.length());
|
||||
if (length > SSL_MAX_SSL_SESSION_ID_LENGTH) length = SSL_MAX_SSL_SESSION_ID_LENGTH;
|
||||
int rc = SSL_CTX_set_session_id_context(_pSSLContext, reinterpret_cast<const unsigned char*>(sessionIdContext.data()), length);
|
||||
@ -279,15 +279,15 @@ bool Context::sessionCacheEnabled() const
|
||||
void Context::setSessionCacheSize(std::size_t size)
|
||||
{
|
||||
poco_assert (isForServerUse());
|
||||
|
||||
|
||||
SSL_CTX_sess_set_cache_size(_pSSLContext, static_cast<long>(size));
|
||||
}
|
||||
|
||||
|
||||
|
||||
std::size_t Context::getSessionCacheSize() const
|
||||
{
|
||||
poco_assert (isForServerUse());
|
||||
|
||||
|
||||
return static_cast<std::size_t>(SSL_CTX_sess_get_cache_size(_pSSLContext));
|
||||
}
|
||||
|
||||
@ -308,7 +308,7 @@ long Context::getSessionTimeout() const
|
||||
}
|
||||
|
||||
|
||||
void Context::flushSessionCache()
|
||||
void Context::flushSessionCache()
|
||||
{
|
||||
poco_assert (isForServerUse());
|
||||
|
||||
@ -430,7 +430,7 @@ void Context::createSSLContext()
|
||||
throw Poco::InvalidArgumentException("Invalid or unsupported usage");
|
||||
}
|
||||
}
|
||||
if (!_pSSLContext)
|
||||
if (!_pSSLContext)
|
||||
{
|
||||
unsigned long err = ERR_get_error();
|
||||
throw SSLException("Cannot create SSL_CTX object", ERR_error_string(err, 0));
|
||||
@ -456,7 +456,7 @@ void Context::initDH(const std::string& dhParamsFile)
|
||||
// -----END DH PARAMETERS-----
|
||||
//
|
||||
|
||||
static const unsigned char dh1024_p[] =
|
||||
static const unsigned char dh1024_p[] =
|
||||
{
|
||||
0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,
|
||||
0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,
|
||||
@ -471,7 +471,7 @@ void Context::initDH(const std::string& dhParamsFile)
|
||||
0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71,
|
||||
};
|
||||
|
||||
static const unsigned char dh1024_g[] =
|
||||
static const unsigned char dh1024_g[] =
|
||||
{
|
||||
0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,
|
||||
0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,
|
||||
@ -487,26 +487,26 @@ void Context::initDH(const std::string& dhParamsFile)
|
||||
};
|
||||
|
||||
DH* dh = 0;
|
||||
if (!dhParamsFile.empty())
|
||||
if (!dhParamsFile.empty())
|
||||
{
|
||||
BIO* bio = BIO_new_file(dhParamsFile.c_str(), "r");
|
||||
if (!bio)
|
||||
if (!bio)
|
||||
{
|
||||
std::string msg = Utility::getLastError();
|
||||
throw SSLContextException(std::string("Error opening Diffie-Hellman parameters file ") + dhParamsFile, msg);
|
||||
}
|
||||
dh = PEM_read_bio_DHparams(bio, 0, 0, 0);
|
||||
BIO_free(bio);
|
||||
if (!dh)
|
||||
if (!dh)
|
||||
{
|
||||
std::string msg = Utility::getLastError();
|
||||
throw SSLContextException(std::string("Error reading Diffie-Hellman parameters from file ") + dhParamsFile, msg);
|
||||
}
|
||||
}
|
||||
else
|
||||
}
|
||||
else
|
||||
{
|
||||
dh = DH_new();
|
||||
if (!dh)
|
||||
if (!dh)
|
||||
{
|
||||
std::string msg = Utility::getLastError();
|
||||
throw SSLContextException("Error creating Diffie-Hellman parameters", msg);
|
||||
@ -525,7 +525,7 @@ void Context::initDH(const std::string& dhParamsFile)
|
||||
dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), 0);
|
||||
dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), 0);
|
||||
dh->length = 160;
|
||||
if ((!dh->p) || (!dh->g))
|
||||
if ((!dh->p) || (!dh->g))
|
||||
{
|
||||
DH_free(dh);
|
||||
throw SSLContextException("Error creating Diffie-Hellman parameters");
|
||||
@ -541,27 +541,27 @@ void Context::initDH(const std::string& dhParamsFile)
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
|
||||
void Context::initECDH(const std::string& curve)
|
||||
{
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
|
||||
#ifndef OPENSSL_NO_ECDH
|
||||
int nid = 0;
|
||||
if (!curve.empty())
|
||||
if (!curve.empty())
|
||||
{
|
||||
nid = OBJ_sn2nid(curve.c_str());
|
||||
}
|
||||
else
|
||||
}
|
||||
else
|
||||
{
|
||||
nid = OBJ_sn2nid("prime256v1");
|
||||
}
|
||||
if (nid == 0)
|
||||
if (nid == 0)
|
||||
{
|
||||
throw SSLContextException("Unknown ECDH curve name", curve);
|
||||
}
|
||||
|
||||
EC_KEY* ecdh = EC_KEY_new_by_curve_name(nid);
|
||||
if (!ecdh)
|
||||
if (!ecdh)
|
||||
{
|
||||
throw SSLContextException("Cannot create ECDH curve");
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user